XenForo 1.5.2 Released (Includes Security Fix)

Company Info

Today, we are pleased to release XenForo 1.5.2. This release fixes a number of bugs and issues that were found since the release of 1.5.1.

Importantly, this release includes a fix for a potential security issue discovered by Miguel Ángel Jimeno (@migueljimeno96). The issue employs a tactic known as "reverse tabnabbing" in which a link that opens in a new tab contains code that can redirect the original tab to another URL, which could be used as a phishing attempt. We strongly recommend all customers follow one of the below methods to fix this security issue.

Method 1: Upgrade to the New Version

You may upgrade to XenForo 1.5.2 to fix this issue. You should upgrade as you would to any other release. See further below in this announcement for more details on this release.

Method 2: Install the Patch (for 1.5 Users)

Download the patch zip file attached to the end of this message. It contains 2 files:

js/xenforo/xenforo.js

js/xenforo/full/xenforo.js

These 2 files should be uploaded to your server, overwriting the existing files of the same names.

Note that with this method there is no outward indication that the patch has been applied. We recommend upgrading if possible.

Other Changes in 1.5.2

In addition to smaller bug fixes, 1.5.2 changes how the link proxy system works. It will no longer attempt to manipulate the URL of the target before it is clicked, instead using a background ajax request to log the click when it happens. This improves accuracy with logging, including successfully logging details that previously weren't logged, and reduces interference with systems that change URLs dynamically (such as inserting affiliate links). However, this may cause add-ons that manipulate the link proxy (such as to show intersitial pages) to no longer function. They will need to be updated to use their own technique for this.

Some of the bugs fixed in 1.5.2 include:

Add a "quiet zone" to the QR code shown when enabling two-step verification via an app.

Ensure that spam checking is run when editing a thread title.

Do not autolink across "[" to prevent problems when a URL is surrounded by something that looks like a BB code.

Where necessary, the merge system within the "Outdated Templates" page should be used to integrate these changes.

Please note that we are now formally recommending that you upgrade to PHP 5.4 or newer. Our intention with XenForo 2.0 is to require PHP 5.4 or newer. If you are running PHP 5.3 or 5.2, you will receive a warning when installing or upgrading XenForo.

All customers with active licenses may now download the new version from the customer area.

This release follows our principle that third-point (x.x.X) releases should always be more stable than the preceding version, so for the most part you will not find new features in this release. Major new features will be reserved for second point versions (x.X.x).